Latest CVE Feed

  1. Home
  2. Vulnerabilities
  3. Latest
Following is the list of latest published vulnerabilities. You can filter the list based on the severity of the vulnerability, whether it is actively exploited (also known as CISA KEV List) or remotely exploitable. You can also sort the list based on the published date, last updated date, or CVSS score.
Latest Critical Actively Exploited Remotely Exploitable
Published Last Updated CVSS Score

  • 7.5

    HIGH
    CVE-2025-63889

    The fetch function in file thinkphp\library\think\Template.php in ThinkPHP 5.0.24 allows attackers to read arbitrary files via crafted file path in a template value.... Read more

    Affected Products : thinkphp
    • Published: Nov. 20, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Path Traversal

  • 9.8

    CRITICAL
    CVE-2025-63888

    The read function in file thinkphp\library\think\template\driver\File.php in ThinkPHP 5.0.24 contains a remote code execution vulnerability.... Read more

    Affected Products : thinkphp
    • Published: Nov. 20, 2025
    • Modified: Nov. 25, 2025
    • Vuln Type: Injection

  • 7.3

    HIGH
    CVE-2025-66079

    Missing Authorization vulnerability in Jegstudio Gutenverse Form gutenverse-form allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Gutenverse Form: from n/a through <= 2.2.0.... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Authorization

  • 6.4

    MEDIUM
    CVE-2025-5092

    Multiple plugins and/or themes for WordPress are vulnerable to Stored Cross-Site Scripting via the plugin's bundled lightGallery library (<= 2.8.3) in various versions due to insufficient input sanitization and output escaping on user supplied attributes.... Read more

    Affected Products : ibtana
    • Published: Nov. 20, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 9.8

    CRITICAL
    CVE-2025-13410

    A vulnerability has been found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected is an unknown function of the file /admin/receipt.php. Such manipulation of the argument tid leads to sql injection. The attack can be executed remotely. The exp... Read more

    • Published: Nov. 19, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-13411

    A vulnerability was found in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/admin_football.php. Performing manipulation of the argument product_image results in unrestricted... Read more

    • Published: Nov. 19, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Misconfiguration

  • 6.1

    MEDIUM
    CVE-2025-13484

    A vulnerability was identified in Campcodes Complete Online Beauty Parlor Management System 1.0. This vulnerability affects unknown code of the file /admin/customer-list.php. The manipulation of the argument Name leads to cross site scripting. The attack ... Read more

    • Published: Nov. 20, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 6.1

    MEDIUM
    CVE-2025-13412

    A vulnerability was determined in Campcodes Retro Basketball Shoes Online Store 1.0. Affected by this issue is some unknown functionality of the file /admin/admin_running.php. Executing manipulation of the argument product_name can lead to cross site scri... Read more

    • Published: Nov. 19, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Cross-Site Scripting

  • 5.4

    MEDIUM
    CVE-2025-66113

    Missing Authorization vulnerability in ThemeAtelier Better Chat Support for Messenger better-chat-support allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Better Chat Support for Messenger: from n/a through <= 1.2... Read more

    Affected Products :
    • Published: Nov. 21, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-66072

    Missing Authorization vulnerability in Stiofan UsersWP userswp allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects UsersWP: from n/a through <= 1.2.47.... Read more

    Affected Products : userswp
    • Published: Nov. 21, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-66071

    Missing Authorization vulnerability in tychesoftwares Custom Order Numbers for WooCommerce custom-order-numbers-for-woocommerce allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Custom Order Numbers for WooCommerce... Read more

    • Published: Nov. 21, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Authorization

  • 9.8

    CRITICAL
    CVE-2025-13485

    A security flaw has been discovered in itsourcecode Online File Management System 1.0. This issue affects some unknown processing of the file /ajax.php?action=login. The manipulation of the argument Username results in sql injection. The attack may be lau... Read more

    Affected Products : file_management_system
    • Published: Nov. 21, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Injection

  • 7.8

    HIGH
    CVE-2025-11001

    7-Zip ZIP File Parsing Directory Traversal Remote Code Execution Vulnerability. This vulnerability allows remote attackers to execute arbitrary code on affected installations of 7-Zip. Interaction with this product is required to exploit this vulnerabilit... Read more

    Affected Products : windows 7-zip
    • Published: Nov. 19, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Path Traversal

  • 7.3

    HIGH
    CVE-2025-63719

    Campcodes Online Hospital Management System 1.0 is vulnerable to SQL Injection in /admin/index.php via the parameter username.... Read more

    Affected Products : online_hospital_management_system
    • Published: Nov. 19, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Injection

  • 5.3

    MEDIUM
    CVE-2025-13147

    Server-Side Request Forgery (SSRF) vulnerability in Progress MOVEit Transfer.This issue affects MOVEit Transfer: before 2024.1.8, from 2025.0.0 before 2025.0.4.... Read more

    Affected Products : moveit_transfer
    • Published: Nov. 19, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Server-Side Request Forgery

  • 9.8

    CRITICAL
    CVE-2025-13420

    A weakness has been identified in itsourcecode Human Resource Management System 1.0. This issue affects some unknown processing of the file /src/store/EventStore.php. This manipulation of the argument eventSubject causes sql injection. The attack can be i... Read more

    Affected Products : human_resource_management_system
    • Published: Nov. 19, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Injection

  • 9.8

    CRITICAL
    CVE-2025-13422

    A vulnerability was detected in freeprojectscodes Sports Club Management System 1.0. The affected element is an unknown function of the file /dashboard/admin/change_s_pwd.php. Performing manipulation of the argument login_id results in sql injection. The ... Read more

    Affected Products : sports_club_management_system
    • Published: Nov. 20, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Injection

  • 5.9

    MEDIUM
    CVE-2025-36161

    IBM Concert 1.0.0 through 2.0.0 could allow a remote attacker to obtain sensitive information, caused by the failure to properly enable HTTP Strict-Transport-Security. An attacker could exploit this vulnerability to obtain sensitive information using man ... Read more

    Affected Products : linux_kernel concert
    • Published: Nov. 20, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Information Disclosure

  • 9.8

    CRITICAL
    CVE-2025-64428

    Dataease is an open source data visualization analysis tool. Versions prior to 2.10.17 are vulnerable to JNDI injection. A blacklist was added in the patch for version 2.10.14. However, JNDI injection remains possible via the iiop, corbaname, and iiopname... Read more

    Affected Products : dataease
    • Published: Nov. 20, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Injection

  • 5.1

    MEDIUM
    CVE-2025-62731

    SOPlanning is vulnerable to Stored XSS in /feries endpoint. Malicious attacker with access to public holidays feature is able to inject arbitrary HTML and JS into website, which will be rendered/executed when opening multiple pages. By default only admini... Read more

    Affected Products : soplanning
    • Published: Nov. 20, 2025
    • Modified: Nov. 24, 2025
    • Vuln Type: Cross-Site Scripting
Showing 20 of 4537 Results